Thank you guys. Yeah, I'm Paul. I'm from Trend Micro. I used to be a developer, and I used to be a security guy as well, but now they've asked me to run the business. OK, please have a seat and get yourselves comfortable. Thank you for listening.

I have a question. Who's in security here? Anybody dealing with security? Oh, OK, we've got a friend here doing security. All right, too much plug, too much plug.

Today we're going to be covering four things. One, I'm going to talk about the general challenge for a security team. Second, how do we normalize data? Third, Security Lake. And then we're going to do some conclusion.

OK, this one looks familiar. It looks like this room, right? Anybody know what it is? The United Nations. So in the United Nations there are a lot of nationalities, and people talk in different languages. But what you don't see in the background is all these people: they're translators. They translate what the guy is saying for the person on the delegation. In security terms, it's just like the United Nations. You know why? I'll run you through some stuff.

Windows logs look like this. I don't know if you can see it, it's probably very small, but Windows logs look like this. W3C logs look like this. CEF looks like this; Trend Micro uses CEF. CLF looks like this. And now they came up with, let's move on to JSON. JSON is very nice: structured, very easy to understand. But there's another problem. Who watched Silicon Valley here? There's that argument, tabs versus spaces; here it's camel case versus underscore case. So you have very, very different stuff: EventID, event_id, and event. So even if you normalize the format, you still have multiple ways of describing the same thing.
If there's an attack, if there's a security incident, there are still multiple ways of describing it.

Next, let's go to the life of the developer or the builder, or whoever runs security stuff. Typically what happens is: you've got your infra, you've got a security tool that spits out logs, and the builder reads the logs. That's one. Then you have more stuff: you've got network analytics, you've got APM, and the builder reads those too. So you have three consoles already. How did the industry solve this? They built a SIEM. You dump everything in the SIEM. But the problem is, you just saw the logs a while ago; they're all different. So what do I have to do? I have to normalize, because I cannot do analysis unless I normalize the data. I cannot analyze the data properly if it's all in different weird formats. So this is the current status of any security architect right now: we're going to dump it all in the SIEM, we're going to normalize, we're going to analyze. It can be very, very expensive.

And this is the flow. Number one, you ingress your data. Number two, you normalize, so it all looks the same. You put it in proper storage. You analyze it, and then you take action. So there are five steps, and probably five different technologies. And not just that: in the normalization step, most of the requests that we get from our customers are, hey, do you integrate with this tool? Can you send logs to that tool? Can your log be tweaked so it will work for this tool? It's always been a request.

Another thing: this guy from IBM says (downstairs I saw some guy using ChatGPT, everybody's on ChatGPT nowadays) there's no AI without IA. There's no AI without information architecture. You cannot build AI models and security tools unless you have proper data.
So the industry came up with OCSF. It's called the Open Security Schema Framework. It basically tells the industry: guys, please dump your stuff in a specific format. Let's create a standard that everybody will follow, so that any tool can ingest and analyze the data properly. It's open source, it's heralded by AWS and Splunk, and there are a lot of companies in the community who are using this.

There are multiple types, for example system activity, findings, event activity, network activity and configuration. So for example, security findings: somebody does an attack, there's a malware, there's a security finding. There's a format; it's already specified. The variable should be activity_id, with an underscore, not activityID. I was a developer; sometimes I made mistakes on the variable names. The second one is the device. How many endpoints do I have? Endpoint ID, instance ID; if you use on-prem, they call it VM ID, AWS calls it instance ID. This one normalizes that. And this is an example of vulnerability details. It's very specific and very prescriptive, meaning if you want to report a vulnerability from one tool to another, it should be exactly the same. Very, very nice.

So basically, if I'm building a security product, I go from five steps to three steps: I just ingest data, normalize it and store it, so I can analyze it and take action. You're reducing the steps before you can remediate or fix anything that you see.

Now, this is my favorite meme. Anybody seen this meme? Basically the joke is: there are 14 standards, let's create another standard to rule them all. You know what happens? There are 15 standards. This is always what happens in the tech industry. So how do they fix this?
They invited a bunch of 60 cybersecurity companies, vendors, to adopt this framework. Trend Micro is one of them. Plug, plug: we're plugging Trend Micro. We are one of them adopting this. And the reason why we have to adopt this is that we also want the data ownership to stay with the customer. Security products are moving to SaaS right now. When they move to SaaS, where do they store the data? When you subscribe to Trend Micro, our analytics engine is in our AWS account. We use AWS to store our stuff, so it's going to be in our AWS account. Typically, customers will question us: hey, can we store our data? You can analyze it, you can protect us, but I want the data to be in my account. I want to own that data. So this is a group of people adopting this to make sure that the data is stored by the customer, because technically, you own it. It also saves us money, because you store it in your S3 bucket, not in our bucket.

Right, so next conversation: Security Lake. This is something that was announced at re:Invent recently, and we're very passionate about this because Security Lake became a service now: storing, normalizing and holding the data became a service now. So number one, you can centralize data. You can put all the data there, and I'll show you in a bit how it looks, so as to manage expectations. And this is not a SIEM. People ask me, is it a SIEM? It's not a SIEM. It's a place where you put data so you can analyze it later. And you can optimize. When I say optimize, you don't have to have multiple places where you store security data. One concern of a customer is: hey, I'm subscribing to this vendor, I'm subscribing to that vendor, my big data, my security data, is all over. How do I make sure it's centralized? Number three is normalize.
When I say normalize: like you saw in the United Nations, it will auto-translate; it will help you normalize that content to make it fit OCSF. And the last one is analyze. So when you have security analysis tools (I'll show you later how it looks), you're able to make sure that any tool can just call my data, analyze it and give me my analysis.

So how does it work? This is the terminology; I'll show you in the demo later. We have sources. Sources are basically any security tool that you have. From AWS natively, it supports out of the box Security Hub, CloudTrail, Route 53 and VPC Flow Logs. But you can also use it with security tools, like the 16 companies that I just showed you. Then there's customer data. Customer data means, for example, I want to show the inventory of my devices, my IoT devices. As long as it's in that format, you can ingest the data there; you can put it as an asset inside your system.

Now, Security Lake does all the heavy lifting for you: data normalization, subscriber management (I'll show you subscriber management), and it gives you OCSF, and then retention and centralization, which is very, very important because you have multiple data sources now. How do you centralize them? And then you've got subscribers. From a native service, you can use SageMaker and Athena. If you want to do queries, you can use Athena to query the logs. Or you can use third-party tools. If you look at the industry now, the buzzword a few years back was XDR. But the number one criticism of XDR products is: hey, XDR can only ingest data from those vendors. That's a big problem. So basically, if I'm a builder, I have a choice. If I'm a company, I have a choice of which tools to analyze my data with.
I have a choice of where to store my data, and I can pick the best-of-class protection service. I'm not stuck with one platform. It gives me flexibility in how I want to run my security operations. Which, if you ask my opinion, I'm always for freedom of choice for consumers.

Now, I'll show you the demo. All right, if the internet doesn't work, I already put everything in tabs, so I don't have to press any buttons. Oh, and I just got the demo; it's in preview, so I only got it this morning, so please excuse me. So how does it look? I have sources: I have 28 sources. Let me show you the sources. So I have 28 sources, and you see here, why are there only four? I configured seven regions for sources. So it takes data from CloudTrail, VPC Flow Logs, Route 53 and Security Hub from seven regions; four services, so you have 28. Let's go back. There are subscribers; you can see subscribers. I don't have any subscribers yet because, sorry, I just didn't have time to prepare the analytics to download it, but I have a screenshot of how it looks. And you also have the native sources and custom sources. You can go to custom sources and add your custom source. At Trend Micro, we have a guide on how you ingest those sources from various activity. So basically, we already normalize it, and then we send it to Security Lake. So we have this instruction. I'm doing a cooking-show style here: this is the instructions and this is the result. So ta-da, it just sends all the logs here. That's how it is. It's in preview, it's going to come out soon, but that's how it looks: a very simple product. But people ask me, where's the search? Where's the analysis? Security Lake does not do that.
You have to use Athena, or an XDR tool, or SageMaker to do that analysis. This is simply a very efficient way of storing all your security data.

So what's happening under the hood? Basically it uses two services, S3 and Glue. It creates buckets where you store data; it's all under the hood, it does the stuff for you. And then it transforms the data using Apache Parquet; it transforms the data to normalize it to OCSF. So for example, a malware attack: it will normalize it to OCSF. And then it will create and update AWS Glue tables and partitions, so it organizes the data for you. That's a lot of guesswork being removed. If you want to use this product and you're using security tools, you've got to ask your vendor: could you please make sure that you send data to Security Lake so that we can analyze and store it properly? So again, like I said, you can bring all your security data, not just from any particular vendor; you can actually do the transformation as well. You have your own tool, your own internal tooling; you can convert all of that, and as long as it's in OCSF, you can send it to Security Lake.

So how does it look now? You send all your tools to Security Lake, you remove the normalization and you go straight to analysis, which, if you ask my opinion, is very, very efficient for people. It makes it very efficient for people to manage and analyze the data. We just removed the normalization, but one thing we always worry about is data storage. Now, if you use AWS and you know how AWS security works, you can pretty much configure it the way you like: expiry, access control. So you have more freedom in how you use your data or how you store your data.
So from the Trend Micro perspective, I didn't have the analysis demo a while ago, but this is the screenshot. Trend Micro can ingest that data and actually make sense of it. I'm showing an example from a CloudTrail log. Trend Micro can also do that. So basically, on the analysis part, we also have an engine doing the analysis. For us, Security Lake allows our platform to be open to other vendors as well. Technically, it removes any vendor lock-in from us. So you can say, for example, I want to buy container security from this vendor, serverless security from that vendor, EC2 security from that vendor, and I want to correlate them because this company has better correlation. This is what it solves. This is the thing that it does.

And in summary (oh, I only have 15 minutes, but yeah, very easy presentation): it gives you freedom of choice. You're not tied into a specific ecosystem anymore. As long as they use that format, you can dump it there. Again, most of the questions that I get from customers are: you're protecting us, but that's your data center, this vendor, that's your data center, that vendor. It removes that problem for us. It makes it easy for us: hey, use Security Lake, OCSF, just dump it there, and you use your own analysis tool. It's in preview in seven regions. Someone told me it's not in Singapore yet, not in APSAU yet, but I heard it's going to come out soon in GA. The pricing is quite reasonable; terabytes, yeah, it's quite reasonable. Right, oh, sorry, yeah. And thank you very much. We have this plug again: QR code, scan, then they're going to do a lucky draw for BitSuitePro later.

But yeah, that's it. Thank you very much, user group, for today.
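The normalization step the talk keeps coming back to (the same event arriving as CEF, as JSON with camelCase keys, as JSON with snake_case keys, and each one naming the host, the file and the severity differently) is shown below as an added, runnable example. It is not part of the talk and is not Trend Micro's, OCSF's or Security Lake's code. It parses one constructed CEF line and two constructed JSON events and maps them onto a single record with OCSF-style snake_case field names; the target field names, the severity and activity lookup tables and the synonym table are illustrative assumptions made for this example, not the published OCSF schema.

```python
"""Map differently formatted security events onto one OCSF-style record.

Constructed example. The snake_case target names follow the OCSF naming
convention, but the lookup and synonym tables are assumptions for this
example, not the published OCSF schema.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample input (not real vendor output): one malware detection
# on the same host, expressed three ways.
SAMPLE_EVENTS = [
    "CEF:0|ExampleVendor|ExampleAV|1.0|100|Malware detected|8|"
    "rt=1700000000000 dvchost=web-01 dvc=10.0.0.5 fname=evil.exe act=quarantine",
    '{"eventId": "100", "eventTime": "2023-11-14T22:13:20Z", "deviceName": "web-01", '
    '"deviceIp": "10.0.0.5", "fileName": "evil.exe", "action": "quarantine", "severity": "high"}',
    '{"event_id": 100, "event_time": 1700000000, "device": {"hostname": "web-01", '
    '"ip": "10.0.0.5"}, "file": {"name": "evil.exe"}, "action": "quarantine", "severity": 8}',
]

# Illustrative lookup tables (assumed for this example, not the OCSF spec).
SEVERITY_BY_NAME = {"low": 2, "medium": 3, "high": 4, "critical": 5}
ACTIVITY_BY_ACTION = {"detect": 1, "quarantine": 2, "delete": 3}
# Which source field names feed each target field, whatever the input format.
SYNONYMS = {
    "time": ("rt", "event_time", "time"),
    "severity_id": ("severity",),
    "activity_id": ("act", "action"),
    "device.hostname": ("dvchost", "device_name", "device.hostname"),
    "device.ip": ("dvc", "device_ip", "device.ip"),
    "file.name": ("fname", "file_name", "file.name"),
}
CEF_HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                     "signature_id", "name", "severity")


def to_snake(key):
    """eventId -> event_id; keys that are already snake_case are unchanged."""
    return re.sub(r"(?<!^)(?=[A-Z])", "_", key).lower()


def flatten(obj, prefix=""):
    """Recursively flatten nested dicts into dotted snake_case keys."""
    out = {}
    for key, value in obj.items():
        path = prefix + to_snake(key)
        if isinstance(value, dict):
            out.update(flatten(value, path + "."))
        else:
            out[path] = value
    return out


def parse_cef(line):
    """Split a CEF line into its 7 header fields plus extension key=value pairs."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # ignore escaped '\|'
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    fields["cef_version"] = parts[0][len("CEF:"):]
    # Extension values may contain spaces, so a value ends only at the next key=.
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        fields[to_snake(key)] = value
    return fields


def parse_time(value):
    """Accept epoch seconds, epoch milliseconds or ISO-8601; return epoch seconds."""
    if isinstance(value, str) and not value.isdigit():
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
        return int(dt.astimezone(timezone.utc).timestamp())
    n = int(value)
    return n // 1000 if n > 10**11 else n  # 13-digit values are milliseconds


def parse_severity(value):
    """Map a severity word or a CEF-style 0-10 number onto the 1..5 scale."""
    if isinstance(value, str) and value.lower() in SEVERITY_BY_NAME:
        return SEVERITY_BY_NAME[value.lower()]
    n = int(value)
    return 2 if n <= 3 else 3 if n <= 6 else 4 if n <= 8 else 5


def normalize(raw):
    """Detect the input format and map it onto one OCSF-style record."""
    if raw.startswith("CEF:"):
        flat, fmt = parse_cef(raw), "cef"
    else:
        flat, fmt = flatten(json.loads(raw)), "json"
    record = {"metadata": {"original_format": fmt}, "device": {}, "file": {}}
    for target, sources in SYNONYMS.items():
        value = next((flat[s] for s in sources if s in flat), None)
        if value is None:
            continue  # leave the field absent rather than guess a value
        if target == "time":
            value = parse_time(value)
        elif target == "severity_id":
            value = parse_severity(value)
        elif target == "activity_id":
            value = ACTIVITY_BY_ACTION.get(str(value).lower(), 0)  # 0 = unknown
        if "." in target:
            obj, field = target.split(".", 1)
            record[obj][field] = value
        else:
            record[target] = value
    return record


def all_equivalent(raws):
    """True when every input normalizes to the same record (ignoring metadata)."""
    stripped = [{k: v for k, v in normalize(r).items() if k != "metadata"} for r in raws]
    return all(s == stripped[0] for s in stripped)


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(json.dumps(normalize(raw), sort_keys=True))
    print("all three agree:", all_equivalent(SAMPLE_EVENTS))
```

The point of `all_equivalent` is the check a practitioner wants before trusting a normalizer: three different encodings of the same detection must collapse to byte-identical `device`, `file`, `time`, `severity_id` and `activity_id` values, otherwise downstream correlation silently splits one incident into three. Fields that have no source value are left absent rather than defaulted, so a missing hostname shows up as missing instead of as a plausible-looking empty string.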